Power Sector Peril: Unmasking The Threats Of Cyber Security

Before understanding the cyber challenges, first let us have an overview of the electricity sector in the country. Officially in 2021, from a power deficit country, India turned into power surplus nation. From 2014 to 2021, the country added power generation capacity of 160.8 GW, consisting of 83920 MW from fossil fuels while 76, 900 MW were from renewable sources. Ministry of power is one of the most promising ministries of the Indian government. In India, power is generated at three levels, centre, states and private. Private sector has the largest share of around 50% (2,10,278 MW), while the centre and states have 24% (1,00,005MW) and 25.5% (1,05,726) MW respectively.

Most of the energy is generated from fossil fuels. Though India has become a power surplus nation, power distribution is not equal, especially the areas in the north eastern part of the country face energy deficit. Universalization of sustainable energy at cost effective prices is still a dream. Though a lot of progress has been achieved in case of rural electrification, the quality of supply is still questionable. Automation of critical infrastructure, the smart grid mission all have given the technological edge to Indian power sector but have also immensely increased the risks of cyber-attacks. The recent attacks on the Indian power grid in Ladakh have garnered national security interest. A ransomware gang Hive, recently hacked important data from Tata Power and leaked it on dark web. Recent attacks in the Madhya Pradesh Power Management Company Limited (PMCL) were so grave that IT team from Delhi was called for audit. Email ids of top officers were hacked creating a buzz even at the national capital. Earlier the server of the company was also hacked which brought the online services to a standstill. Such attacks have necessitated a strong need for cyber security laws exclusively for the power sector.

India has many legislations regulating the power sector. The most prominent is the Electricity Act 2003. It is the most comprehensive and exclusive legislation for power sector and consolidates all laws relating to generation, transmission, distribution and use of electricity. National Electricity Policy is the document that outlines the overall framework for developing India's electricity sector. The policy was first formulated in 2005 and was later revised in 2018. The key features of the policy were in consonance with the Act and aimed at rural electrification, sustainable and efficient energy distribution, transmission and generation. Recently, The Government of India established the National Smart Grid Mission (NSGM) in 2015 for planning and monitoring the implementation of smart grid policies and programs in India. The main goal of smart grids is to improve the reliability of power grids and make the grid suitable for the input of renewable energy through distributed generation.

From the cybersecurity perspective, the most crucial guidelines were released by Central Electricity Authority (CEA) in 2021.

The CEA (Cybersecurity in Power Sector) Guidelines, 2021 are first in the country to acknowledge the fact that the gap myth between the Information Technology (IT) and Operational Technology (OT) systems now stands shattered. Accordingly, six CERT’s have been created. Each CERT would have its own Cyber Crisis Management Plan (C-CMP) to counter cyber-attacks and cyber terrorism. There are various types of cyber threats but in order to understand the manner in which they can affect power sector, it would be easier to see it according to various stages of power sector.

The first stage is electricity generation. The safety mechanisms of the plants can be tampered with. A cyberattack can manipulate the readings at the generation plants which can cause massive disruption in transmission lines. Such malwares or viruses can attack the power controlling system of the plants. Impact of Distributes Denial of Service (DDoS) attacks on advanced metering infrastructure is also quite high. In such attacks the targeted system is flooded with so much traffic that it becomes almost unresponsive, thus making it difficult for the operators to manage the plant. Such incident occurred in India in 2016 when IRCTC website was hacked by hackers from multiple locations. Though IRCTC later clarified that so such attack was successful but the attackers showed the loopholes in the cybersecurity system.

Another type of cyber threat targeting power stations is Advanced Persistent Threat (ATP). As the name suggest, these threats do not cause immediate damage but persistently gather critical information by using stealthy techniques. This is one of the most sophisticated and well-funded attacks. Social engineering is another type of attack which can affect power plants. As humans themselves are the most vulnerable part of the system, social engineers manipulate the victims for disrupting the power grids. This method is superior to most other forms of hacking as it can breach even the most secure systems.

The second stage is the transmission. It has scope of innumerable cyber threats, attack on the substation control system being the most common. In 2015, a cyber-attack on Ukrainian power grid resulted in massive power outage. The malware was implanted in the substation control systems leading to manipulation of transmission line also causes power outages. Variations in voltage flows can harm not only the equipment but also human lives. Cutting transmission lines or modifying the circuit breaker is capable of causing massive power outages. Every substation has a transformer. Transformers are at great risk not only from cyber-attacks but also physical damage. Phishing attacks are also quite common at this stage of power supply. Another major issue can be bringing physical damage to the transformer which is a two-step attack. At first, the attack could disable the protection and then it can bypass the switches. Such bypassing would overload the transformer in the substation and might cause blackout in the entire neighborhood.

Electricity (Transmission System Planning, Development and Recovery of Inter-State Transmission Charges) Rules, 2021 were promulgated recently. But as discussed above technology has two sides. Inter-state transmission would not only bring efficient and cost-effective power to the consumers but it would also widen the range of cyber-attacks. If one substation is compromised, the risk of blackout/brownout would increase and impact of such attacks would be devastating.

The final stage is distribution of power supply. India has many schemes specifically for distribution of electricity. Restructured Accelerated Power Development and Reforms Program (R-APDRP) is one such scheme. It focuses on establishment of reliable automated systems for collecting accurate baseline data and use of IT for energy accounting. Integrated Power Development Scheme (IPDS) focuses on strengthening sub-transmission and distribution network in urban areas.

IT enablement of the distribution networks is another key objective of this scheme. Deen Dayal Upadhyay Gram Jyoti Yojana, Saubhagya schemes are few schemes whose prime target is rural electrification using automated systems. With modern sophisticated technologies, manipulating these automated systems using social engineering or DDoS is not very difficult for attackers. Opening circuit breakers in a local distribution yard and cutting off power to thousands of residents is another way hackers can use to disrupt the distribution system. There are several examples at international level of such power outages. The worst form of cyber-attack would be cascading power failures. This would not only affect the transmission lines but also the whole distribution systems.

The power grids have evolved into smart grids. The cyber landscape within these grids as critical infrastructure is changing profoundly. Repeated attacks within a short-span in the power grid of Ladakh region as well as attack on an international icon like Tata Motors signify that the current cyber policies need upgradation. Both Indian government as well as Tata Motors affirmed that they faced cyber-attacks but fortunately the attacks failed. The report prepared by US based cybersecurity company Recorded Future, also suggested that Chinese hackers had attacked seven Indian power hubs. All these facts necessitate the need a stern cyber security regime for the power sector. For continuous power supply, across the nations all the physical as well as cyber threats need to be acknowledged and worked on. Safeguarding the Indian power sector against cyber threats is of utmost importance in ensuring the stability and reliability of the nation's critical infrastructure.

The guidelines issued by Central Electricity Authority (CEA) 2021, provide a comprehensive framework which addresses the specific security requirements for power companies. It emphasizes the need for regular audits, incident response plans, and other security measures. It also offers a roadmap for bolstering cybersecurity defences. Adhering to these guidelines will not only protect critical infrastructure but also ensure the uninterrupted functioning of the power grid in the country. Organizations must go beyond mere compliance and as suggested in CEA guidelines, must develop their own customized policies and procedures for addressing the unique challenges they face. Measures like vulnerability assessment, network segmentation, multi-factor authentication can save the sector from cyber threats only even followed rigorously. Vulnerability assessment involves periodic evaluation of the system which would identify and address the potential weakness in the system while network segmentation divides network into several segments with strict access control. This limits unauthorized access and prevents lateral movements. Providing credentials at multiple levels while accessing the system would again give an extra security to the system saving it from potential cyber threats.

Complying with industry standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework would also ensure baseline cybersecurity. These standards provide internationally recognized benchmarks for managing and mitigating cybersecurity risks. Allying with these industry standards will not only be beneficial for the Indian power sector but would also bring them at par with the global practices. More tailor-made solutions can be provided if cyber security experts, grid operators and policy makers collectively team to check the threats. If this is done, continuous power supply would be available to all the citizens of the country despite their varied geographic or socio-economic condition.

Dr. Manish Yadav, Associate Professor at National Law Institute University, Bhopal & Dr. pooja Kiyawat, Assistant Professor at National Law Institute University, Bhopal. Views are personal.